New Member

VFR error

Hi team,

we are getting an error on our router.

004488: *Dec  7 06:34:17.602 UTC: %IP_VFR-3-OVERLAP_FRAGMENTS: FastEthernet0/0: from the host 203.18.137.116 destined to 99.88.45.237

4 REPLIES
Cisco Employee

VFR error

Hi,

This message informs you that the IP packet fragments arriving from the host 203.18.137.116 are overlapping, i.e. if the packet was to be put back together, parts of it would overlap and overwrite each other. The VFR (Virtual Fragmentation and Reassembly) is a feature on Cisco routers that keeps track of fragmented packets so that they can pass ACL checks as if they were unfragmented.

Overlapping fragments are most often caused by malicious intent, as correct IP packet fragmentation will never produce overlapping fragments. You can assume that either the 203.18.137.116 is intentionally creating a stream of overlapping fragments to confuse and/or interfere with the correct operation of the 99.88.45.237 (and routers/firewalls in between), or some device on the route between these two hosts has a faulty IP driver that creates overlapping fragments.

In any case, there is nothing you can do about it. It is not your fault, and the router is merely informing you about a suspicious flow of IP packets.

Best regards,

Peter

New Member

Re: VFR error

Hi peter,

Even we are receiving packet drops when we ping to the router inside interface.

every time destination ip is changing. Is there any way to prevent this?

Also we are receiving error as

005024: *Dec  7 14:08:11.528 UTC: %IP_VFR-4-FRAG_TABLE_OVERFLOW: FastEthernet0/0: the fragment table has reached its maximum threshold 64

Cisco Employee

Re: VFR error

Hello,

I am afraid you can't do much against the occurrence of fragmented packets. You can try entering the following command on your IP-enabled interfaces:

no ip virtual-reassembly

This will deactivate the VFR functionality. You can safely do this if you are not using any ACLs on the affected device. If you do happen to use ACLs, you can use the command as well but you should keep a watchful eye on the traffic after deactivating the VFR, as some (fragmented) traffic may get incorrectly denied or permitted.

Best regards,

Peter
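
The two %IP_VFR messages quoted in this thread are easy to triage from syslog. Below is an added example (not from the thread or from Cisco) that parses both message formats, counts overlapping-fragment events per source host and lists table-overflow events separately; the regexes assume the exact wording of the quoted lines, and the sample log is constructed from the two quoted lines plus made-up ones using documentation addresses.

```python
# Added example (not from the thread): parse Cisco IOS %IP_VFR syslog lines and
# summarise overlap events per source host. The regexes assume the wording of
# the two messages quoted above; constructed sample lines follow.
import re
from collections import Counter

OVERLAP_RE = re.compile(
    r"%IP_VFR-\d-OVERLAP_FRAGMENTS: (?P<ifname>\S+): from the host "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) destined to (?P<dst>\d{1,3}(?:\.\d{1,3}){3})"
)
OVERFLOW_RE = re.compile(
    r"%IP_VFR-\d-FRAG_TABLE_OVERFLOW: (?P<ifname>\S+): "
    r"the fragment table has reached its maximum threshold (?P<limit>\d+)"
)

def parse_vfr_line(line):
    """Return a dict for an IP_VFR event, or None if the line is not one."""
    m = OVERLAP_RE.search(line)
    if m:
        return {"kind": "overlap", "ifname": m["ifname"], "src": m["src"], "dst": m["dst"]}
    m = OVERFLOW_RE.search(line)
    if m:
        return {"kind": "overflow", "ifname": m["ifname"], "limit": int(m["limit"])}
    return None

def summarise(lines, overlap_alert=2):
    """Count overlap events per source; flag sources at or above overlap_alert.
    Table-overflow events are listed separately: they say the table is full,
    not which host filled it, so they cannot be pinned on one source."""
    per_src, dsts, overflows = Counter(), {}, []
    for line in lines:
        ev = parse_vfr_line(line)
        if ev is None:
            continue
        if ev["kind"] == "overlap":
            per_src[ev["src"]] += 1
            dsts.setdefault(ev["src"], set()).add(ev["dst"])  # thread: dst keeps changing
        else:
            overflows.append((ev["ifname"], ev["limit"]))
    flagged = sorted(s for s, n in per_src.items() if n >= overlap_alert)
    return {"per_src": dict(per_src), "dsts": dsts, "flagged": flagged, "overflows": overflows}

# Constructed sample: the two lines quoted in the thread plus three made-up ones
# (documentation addresses 198.51.100.x / 192.0.2.x and one unrelated message).
SAMPLE_LOG = [
    "004488: *Dec  7 06:34:17.602 UTC: %IP_VFR-3-OVERLAP_FRAGMENTS: FastEthernet0/0: from the host 203.18.137.116 destined to 99.88.45.237",
    "004491: *Dec  7 06:35:02.110 UTC: %IP_VFR-3-OVERLAP_FRAGMENTS: FastEthernet0/0: from the host 203.18.137.116 destined to 192.0.2.40",
    "004502: *Dec  7 06:40:55.330 UTC: %IP_VFR-3-OVERLAP_FRAGMENTS: FastEthernet0/0: from the host 198.51.100.9 destined to 192.0.2.41",
    "005024: *Dec  7 14:08:11.528 UTC: %IP_VFR-4-FRAG_TABLE_OVERFLOW: FastEthernet0/0: the fragment table has reached its maximum threshold 64",
    "005030: *Dec  7 14:09:00.000 UTC: %SYS-5-CONFIG_I: Configured from console by console",
]
```

Running summarise(SAMPLE_LOG) flags 203.18.137.116 (two overlap events to two different destinations) and records one overflow at threshold 64 on FastEthernet0/0.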

New Member

Re: VFR error

Hi peter,

Today i have blocked udp port on that server which was exposed to internet.

Till evening i haven't received any log as mentioned above.
